Skip to main content

NGFW Internal Scan

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook investigates a scan where the source is an internal IP address.

An attacker might initiate an internal scan for discovery, lateral movement and more.

Attacker's Goals:

An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative Actions:

  • Endpoint Investigation Plan playbook

Response Actions

The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute:

  • Auto endpoint isolation
  • Manual block indicators
  • Manual file quarantine


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Get endpoint details - Generic
  • Containment Plan
  • Account Enrichment - Generic v2.1
  • Endpoint Investigation Plan


This playbook does not use any integrations.


This playbook does not use any scripts.


  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
scannerIPThe scanner IP address.alert.hostipOptional
AutoCloseAlertWhether to close the alert automatically or manually, after an analyst's review.falseOptional
AutoContainmentWhether to execute automatically or manually the containment plan tasks:
* Block indicators
* Quarantine file
* Disable user
HostAutoContainmentWhether to execute endpoint isolation automatically or manually.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

NGFW Internal Scan